The National Incident Response Core Team acts as a mechanism for enabling business lines to work together on information technology issues, she said June 5 at a meeting of the Information Security and Privacy Advisory Board, which advises the National Institute of Standards and Technology, the Commerce Department and the Office of Management and Budget on information security and privacy issues.

The team includes representatives from the Veterans Health, Veterans Benefits and National Cemetery administrations; the IT division; and VA’s general counsel.

“You can’t do security in pockets,” Martinez said. “You have to do it across the enterprise.”

She has help getting VA organizations to participate. In response to the theft in 2006 of a laptop PC that contained sensitive information about millions of veterans, VA centralized its IT authority and development under the department’s chief information officer, who also has authority to enforce information security policy.

Furthermore, Martinez said, VA is the only department that has its own law governing information security and privacy breaches — the Veterans Benefits, Healthcare and IT Act of 2006, which requires the department to send quarterly report to Congress detailing its information security progress.

The CIO’s office receives daily reports on any incidents that come through its security operations center. The inspector general’s office also has access to the incident database, Martinez said, adding that her team removes personally identifiable information from the incident information before analyzing it and generating weekly reports.

The team meets weekly to review the reports and discuss trends and the potential impact on VA and its individual business lines. The team members then deliver the analysis to their managers, she said.

“We have to get educated together when you look at trends,” she said. “It helps to change culture.”

VA’s information security law and its centralized environment are unlike the experience at most other large agencies, said Ed Meagher, deputy CIO at the Interior Department and formerly VA’s deputy CIO. Agencies typically don’t have a command-and-control environment in which the secretary can mandate activities related to information security, he added.